Why does Firefox no longer recognise certificates issued by Multicert / Camerfirma?



  • Today I noticed that Firefox 88.0 beta (on macOS) is rejecting TLS certificates for many Portuguese websites – including most government websites – with the error SEC_ERROR_UNKNOWN_ISSUER.

    Example sites:

    These certificates all have in common that they are issued by Multicert (CN: MULTICERT SSL Certification Authority 001), which is itself certified by Camerfirma (CN: Global Chambersign Root - 2008).

    I cannot tell from the error which part of the certificate chain (Multicert or Camerfirma) is "unknown", and nor can I find any information about a revocation online (though I can see that Camerfirma has been plagued with poor security practices for years).

    The same websites currently load fine in release versions of Safari and Chrome, as well as Firefox 78.9.0esr.

    • Why is this major European CA "unknown" in current Firefox beta?
    • Has there been a security incident with Multicert or Camerfirma that I should be aware of?


  • It appears that Camerfirma was revoked from Mozilla Firefox 88:

    As many of you have pointed out, there do not appear to be remediation actions that Camerfirma can take at this time to sufficiently reduce the risk of continuing to keep the Websites trust bit enabled for the Camerfirma root certificates. Note that Camerfirma has indicated to us that they are exiting the TLS certificate business.

    ...

    ...we intend to turn off the Websites trust bit for the following root certificates in our upcoming batch of changes to Mozilla’s root store, which is expected to happen in Firefox 88

    The "..." elision above contains a number of their reasons why, which have a lot in common with the list of poor security practices you've already provided.

    Chrome 90 will take the same action.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2